Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Mark_Papworth
Participant
Jump to solution

RADIUS Authentication over Site-to-Site VPN

I have set up a Radius Server to authenticate remote-access VPN clients. The Radius server is located at a remote site connected via Site-to-Site VPN on the same gateway the clients connect to.

Authentication fails because the request to the Radius server does not go through the VPN tunnel. Logs show traffic is accepted by an implied rule and consequently not encrypted.

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
You need to disable the implied rule for RADIUS.
You can do that by editing the appropriate implied_rules.def, ensuring explicit rules exist for RADIUS where needed and installing policy.
Refer to: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

View solution in original post

0 Kudos
8 Replies
PhoneBoy
Admin
Admin
You need to disable the implied rule for RADIUS.
You can do that by editing the appropriate implied_rules.def, ensuring explicit rules exist for RADIUS where needed and installing policy.
Refer to: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
0 Kudos
Mark_Papworth
Participant
Thanks. I couldn't figure out where to disable the implied rule.
We've established communication with the Radius server now.
0 Kudos
renanmvc
Explorer

What's the solution?

0 Kudos
Thomas_Eichelbu
Advisor

Hello, 

i have a question to this ...
when you have the firewall doing RADIUS over VPN, what is your source IP? is it the Firewalls external IP?
is it possible to set a specific outgoing IP address? So the closest IP pointing to the destination in easy words.
In a scenario of many many firewalls and NPS servers i want to limit the amount of IP address i have to set on NPS as NAS IP.

is there a way?

best regards

0 Kudos
PhoneBoy
Admin
Admin

It should always use the "nearest" IP to the destination (according to the routing table). 

0 Kudos
Norbert_Giczi
Participant

This worked perfectly with an MDS running on version R80.40 and (a specific CMA's implied_rule.def had to be modified) respective SG running on R80.40. However, it seems since we upgraded the MDS to R81.20 while the relevant SG is still running on version R80.40 this solution does not work any more. While RADIUS implied rule is disabled in the appropriate CMA's implied_rule.def (and policy install was also performed, of course), the behavior remains the original, so RADIUS traffic is still matched by the implied rule.

Any thoughts on this, please? Are you aware of any change in R81.20 or it is simply caused by the version difference between the management and the SG?

PhoneBoy
Admin
Admin

Changes made to .def files are not maintained across version upgrades.
Further, if you are managing older/different gateway versions, you will need to make a change in the relevant backward compatibility directory.
See: https://support.checkpoint.com/results/sk/sk92281

Norbert_Giczi
Participant

Thank you so much for your answer.

Now we can see where the problem lies: the implied_rules.def change was made in the wrong directory (to be more precise, not in the backward compatibility directory). In the meantime, it was decided to go with the SG upgrade to R81.20 and now the RADIUS traffic tunneling works as expected.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events